On Tuesday 27 April 2004 02:58 pm you wrote:
Hello Frank,
Thanks for your help!
> > access to attr=userPassword
> > by group="cn=admin,base_dn" write
> > by group="cn=maintainer,base_dn" write
> > by self write
> > by anonymous auth
> > by * none stop
> >
> > To my surprise the admin and maintainer users are able to _read_ the
> > userPassword attribute. I expect that users are able to authenticate and
> > to set the password but nobody is allowed to read the password.
>
> Why did it surprise you?
Because I blindly followed the UserPassword example in the Admin Guide
(Chapter 5.4) without reading and understanding every other chapter ;-)
(the example allows the administrator to read the password of a user)
> You did read the slapd.access man page and the
> administrators guide before you started didn't you? They both tell you
> that all accesses include lower level accesses, therefore write includes
> read, auth, search, and compare.
I changed it now to:
access to attr=userPassword
by group="cn=admin,dc=com" =wx
by group="cn=maintainer,dc=com" =wx
by self =wx
by anonymous =x
by * none stop
and it works as expected.
Regards,
-- martin
Dipl.-Phys. Martin Konold
e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
phone: 0711 67400963, fax: 0711 67400959
email: martin.konold@erfrakon.de
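To make the difference between a level keyword and the explicit "=" privilege form concrete, here is a small Python model of the slapd.access(5) semantics discussed in this thread (an added example, not OpenLDAP's code): ACL clauses are (who, privilege) pairs, the first matching clause decides, a level keyword implies every lower level, and the "=" form grants exactly the listed letters. The who-strings such as "group:cn=admin,dc=com" are a simplified stand-in for slapd's real matching.

```python
# Simplified model of OpenLDAP access levels (not slapd code).
# Each level implies all the levels to its left; "none" grants nothing.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Letters accepted by the explicit "=<letters>" privilege syntax.
PRIV_LETTERS = {"m": "manage", "w": "write", "r": "read", "s": "search",
                "c": "compare", "x": "auth", "d": "disclose"}


def privileges(spec):
    """Expand an access spec such as 'write' or '=wx' into the granted privileges."""
    if spec.startswith("="):
        # Explicit form: only the listed letters, nothing implied.
        return {PRIV_LETTERS[ch] for ch in spec[1:]}
    # Level keyword: the level itself plus everything beneath it (not "none").
    return set(LEVELS[1:LEVELS.index(spec) + 1])


def evaluate(acl, who, wanted):
    """True if the first clause matching `who` grants `wanted` (first match wins)."""
    for clause_who, spec in acl:
        if clause_who in (who, "*"):
            return wanted in privileges(spec)
    return False


# Constructed ACLs mirroring the two configurations from the mail.
ORIGINAL_ACL = [("group:cn=admin,dc=com", "write"),
                ("group:cn=maintainer,dc=com", "write"),
                ("self", "write"), ("anonymous", "auth"), ("*", "none")]

FIXED_ACL = [("group:cn=admin,dc=com", "=wx"),
             ("group:cn=maintainer,dc=com", "=wx"),
             ("self", "=wx"), ("anonymous", "=x"), ("*", "none")]


def admin_can_read_password(acl):
    """The check from the thread: may the admin group read userPassword?"""
    return evaluate(acl, "group:cn=admin,dc=com", "read")


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(name, "admin read:", admin_can_read_password(acl),
              "admin write:", evaluate(acl, "group:cn=admin,dc=com", "write"),
              "anonymous auth:", evaluate(acl, "anonymous", "auth"))
```

Note that "=wx" also drops compare ("c"), so an ldapcompare against userPassword by the admin group is refused under the fixed ACL, while a bind (auth) still succeeds.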